From 107709575511f6a92102243ada8c98747bad75e6 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 8 Aug 2019 09:32:32 +0200 Subject: [PATCH] 4.14-stable patches added patches: atm-iphase-fix-spectre-v1-vulnerability.patch bnx2x-disable-multi-cos-feature.patch compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch ife-error-out-when-nla-attributes-are-empty.patch ip6_tunnel-fix-possible-use-after-free-on-xmit.patch mvpp2-refactor-mtu-change-code.patch net-bridge-delete-local-fdb-on-device-init-failure.patch net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch net-fix-ifindex-collision-during-namespace-removal.patch net-mlx5-use-reversed-order-when-unregister-devices.patch net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch net-phylink-fix-flow-control-for-fixed-link.patch net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch nfc-nfcmrvl-fix-gpio-handling-regression.patch tipc-compat-allow-tipc-commands-without-arguments.patch tun-mark-small-packets-as-owned-by-the-tap-sock.patch --- ...-iphase-fix-spectre-v1-vulnerability.patch | 62 ++++++++ .../bnx2x-disable-multi-cos-feature.patch | 35 +++++ ...octl-pppoe-fix-pppoeiocsfwd-handling.patch | 132 ++++++++++++++++++ ...or-out-when-nla-attributes-are-empty.patch | 35 +++++ ...-fix-possible-use-after-free-on-xmit.patch | 52 +++++++ .../mvpp2-refactor-mtu-change-code.patch | 85 +++++++++++ ...ete-local-fdb-on-device-init-failure.patch | 44 ++++++ ...t-entries-when-fast-leave-is-enabled.patch | 58 ++++++++ ...x-collision-during-namespace-removal.patch | 132 ++++++++++++++++++ ...versed-order-when-unregister-devices.patch | 43 ++++++ ...w-counter-update-async-to-user-query.patch | 98 +++++++++++++ ...link-fix-flow-control-for-fixed-link.patch | 54 +++++++ ...-pointer-dereference-in-dequeue_func.patch | 47 +++++++ ...nfcmrvl-fix-gpio-handling-regression.patch | 77 ++++++++++ queue-4.14/series | 16 +++ ...llow-tipc-commands-without-arguments.patch | 85 +++++++++++ ...all-packets-as-owned-by-the-tap-sock.patch | 43 ++++++ 17 
files changed, 1098 insertions(+) create mode 100644 queue-4.14/atm-iphase-fix-spectre-v1-vulnerability.patch create mode 100644 queue-4.14/bnx2x-disable-multi-cos-feature.patch create mode 100644 queue-4.14/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch create mode 100644 queue-4.14/ife-error-out-when-nla-attributes-are-empty.patch create mode 100644 queue-4.14/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch create mode 100644 queue-4.14/mvpp2-refactor-mtu-change-code.patch create mode 100644 queue-4.14/net-bridge-delete-local-fdb-on-device-init-failure.patch create mode 100644 queue-4.14/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch create mode 100644 queue-4.14/net-fix-ifindex-collision-during-namespace-removal.patch create mode 100644 queue-4.14/net-mlx5-use-reversed-order-when-unregister-devices.patch create mode 100644 queue-4.14/net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch create mode 100644 queue-4.14/net-phylink-fix-flow-control-for-fixed-link.patch create mode 100644 queue-4.14/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch create mode 100644 queue-4.14/nfc-nfcmrvl-fix-gpio-handling-regression.patch create mode 100644 queue-4.14/tipc-compat-allow-tipc-commands-without-arguments.patch create mode 100644 queue-4.14/tun-mark-small-packets-as-owned-by-the-tap-sock.patch diff --git a/queue-4.14/atm-iphase-fix-spectre-v1-vulnerability.patch b/queue-4.14/atm-iphase-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..e4e5281bd1f --- /dev/null +++ b/queue-4.14/atm-iphase-fix-spectre-v1-vulnerability.patch 
@@ -0,0 +1,62 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: "Gustavo A. R. Silva"
+Date: Tue, 30 Jul 2019 22:21:41 -0500
+Subject: atm: iphase: Fix Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva"
+
+[ Upstream commit ea443e5e98b5b74e317ef3d26bcaea54931ccdee ]
+
+board is controlled by user-space, hence leading to a potential
+exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/atm/iphase.c:2765 ia_ioctl() warn: potential spectre issue 'ia_dev' [r] (local cap)
+drivers/atm/iphase.c:2774 ia_ioctl() warn: possible spectre second half. 'iadev'
+drivers/atm/iphase.c:2782 ia_ioctl() warn: possible spectre second half. 'iadev'
+drivers/atm/iphase.c:2816 ia_ioctl() warn: possible spectre second half. 'iadev'
+drivers/atm/iphase.c:2823 ia_ioctl() warn: possible spectre second half. 'iadev'
+drivers/atm/iphase.c:2830 ia_ioctl() warn: potential spectre issue '_ia_dev' [r] (local cap)
+drivers/atm/iphase.c:2845 ia_ioctl() warn: possible spectre second half. 'iadev'
+drivers/atm/iphase.c:2856 ia_ioctl() warn: possible spectre second half. 'iadev'
+
+Fix this by sanitizing board before using it to index ia_dev and _ia_dev
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/iphase.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/atm/iphase.c
++++ b/drivers/atm/iphase.c
+@@ -63,6 +63,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "iphase.h"
+ #include "suni.h"
+ #define swap_byte_order(x) (((x & 0xff) << 8) | ((x & 0xff00) >> 8))
+@@ -2760,8 +2761,11 @@ static int ia_ioctl(struct atm_dev *dev,
+ }
+ if (copy_from_user(&ia_cmds, arg, sizeof ia_cmds)) return -EFAULT;
+ board = ia_cmds.status;
+- if ((board < 0) || (board > iadev_count))
+- board = 0;
++
++ if ((board < 0) || (board > iadev_count))
++ board = 0;
++ board = array_index_nospec(board, iadev_count + 1);
++
+ iadev = ia_dev[board];
+ switch (ia_cmds.cmd) {
+ case MEMDUMP:
diff --git a/queue-4.14/bnx2x-disable-multi-cos-feature.patch b/queue-4.14/bnx2x-disable-multi-cos-feature.patch
new file mode 100644
index 00000000000..59162ee07f4
--- /dev/null
+++ b/queue-4.14/bnx2x-disable-multi-cos-feature.patch
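Review bot: The range check kept in the ia_ioctl() change to drivers/atm/iphase.c still accepts `board == iadev_count`, and the new `array_index_nospec(board, iadev_count + 1)` clamps to that same inclusive bound, so `ia_dev[board]` can be read one slot past the last registered board, both architecturally and under speculation. If iadev_count is the number of populated entries (the declaration is outside the hunk, so this is inferred), the check should read `if ((board < 0) || (board >= iadev_count))` followed by `board = array_index_nospec(board, iadev_count);`. ia_ioctl() starts and ends outside the hunk, so whether iadev is tested for NULL before the switch uses it cannot be confirmed from here.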
@@ -0,0 +1,35 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Sudarsana Reddy Kalluru
+Date: Tue, 23 Jul 2019 19:32:41 -0700
+Subject: bnx2x: Disable multi-cos feature.
+
+From: Sudarsana Reddy Kalluru
+
+[ Upstream commit d1f0b5dce8fda09a7f5f04c1878f181d548e42f5 ]
+
+Commit 3968d38917eb ("bnx2x: Fix Multi-Cos.") which enabled multi-cos
+feature after prolonged time in driver added some regression causing
+numerous issues (sudden reboots, tx timeout etc.) reported by customers.
+We plan to backout this commit and submit proper fix once we have root
+cause of issues reported with this feature enabled.
+
+Fixes: 3968d38917eb ("bnx2x: Fix Multi-Cos.")
+Signed-off-by: Sudarsana Reddy Kalluru
+Signed-off-by: Manish Chopra
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -1934,7 +1934,7 @@ u16 bnx2x_select_queue(struct net_device
+ }
+
+ /* select a non-FCoE queue */
+- return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
++ return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp));
+ }
+
+ void bnx2x_set_num_queues(struct bnx2x *bp)
diff --git a/queue-4.14/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch b/queue-4.14/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch
new file mode 100644
index 00000000000..acf0acf63c7
--- /dev/null
+++ b/queue-4.14/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch
@@ -0,0 +1,132 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Arnd Bergmann
+Date: Tue, 30 Jul 2019 21:25:20 +0200
+Subject: compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
+
+From: Arnd Bergmann
+
+[ Upstream commit 055d88242a6046a1ceac3167290f054c72571cd9 ]
+
+Support for handling the PPPOEIOCSFWD ioctl in compat mode was added in
+linux-2.5.69 along with hundreds of other commands, but was always broken
+sincen only the structure is compatible, but the command number is not,
+due to the size being sizeof(size_t), or at first sizeof(sizeof((struct
+sockaddr_pppox)), which is different on 64-bit architectures.
+
+Guillaume Nault adds:
+
+ And the implementation was broken until 2016 (see 29e73269aa4d ("pppoe:
+ fix reference counting in PPPoE proxy")), and nobody ever noticed. I
+ should probably have removed this ioctl entirely instead of fixing it.
+ Clearly, it has never been used.
+
+Fix it by adding a compat_ioctl handler for all pppoe variants that
+translates the command number and then calls the regular ioctl function.
+
+All other ioctl commands handled by pppoe are compatible between 32-bit
+and 64-bit, and require compat_ptr() conversion.
+
+This should apply to all stable kernels.
+
+Acked-by: Guillaume Nault
+Signed-off-by: Arnd Bergmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/pppoe.c | 3 +++
+ drivers/net/ppp/pppox.c | 13 +++++++++++++
+ drivers/net/ppp/pptp.c | 3 +++
+ fs/compat_ioctl.c | 3 ---
+ include/linux/if_pppox.h | 3 +++
+ net/l2tp/l2tp_ppp.c | 3 +++
+ 6 files changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -1137,6 +1137,9 @@ static const struct proto_ops pppoe_ops
+ .recvmsg = pppoe_recvmsg,
+ .mmap = sock_no_mmap,
+ .ioctl = pppox_ioctl,
++#ifdef CONFIG_COMPAT
++ .compat_ioctl = pppox_compat_ioctl,
++#endif
+ };
+
+ static const struct pppox_proto pppoe_proto = {
+--- a/drivers/net/ppp/pppox.c
++++ b/drivers/net/ppp/pppox.c
+@@ -22,6 +22,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -103,6 +104,18 @@ int pppox_ioctl(struct socket *sock, uns
+
+ EXPORT_SYMBOL(pppox_ioctl);
+
++#ifdef CONFIG_COMPAT
++int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
++{
++ if (cmd == PPPOEIOCSFWD32)
++ cmd = PPPOEIOCSFWD;
++
++ return pppox_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
++}
++
++EXPORT_SYMBOL(pppox_compat_ioctl);
++#endif
++
+ static int pppox_create(struct net *net, struct socket *sock, int protocol,
+ int kern)
+ {
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -636,6 +636,9 @@ static const struct proto_ops pptp_ops =
+ .recvmsg = sock_no_recvmsg,
+ .mmap = sock_no_mmap,
+ .ioctl = pppox_ioctl,
++#ifdef CONFIG_COMPAT
++ .compat_ioctl = pppox_compat_ioctl,
++#endif
+ };
+
+ static const struct pppox_proto pppox_pptp_proto = {
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -1032,9 +1032,6 @@ COMPATIBLE_IOCTL(PPPIOCDISCONN)
+ COMPATIBLE_IOCTL(PPPIOCATTCHAN)
+ COMPATIBLE_IOCTL(PPPIOCGCHAN)
+ COMPATIBLE_IOCTL(PPPIOCGL2TPSTATS)
+-/* PPPOX */
+-COMPATIBLE_IOCTL(PPPOEIOCSFWD)
+-COMPATIBLE_IOCTL(PPPOEIOCDFWD)
+ /* Big A */
+ /* sparc only */
+ /* Big Q for sound/OSS */
+--- a/include/linux/if_pppox.h
++++ b/include/linux/if_pppox.h
+@@ -84,6 +84,9 @@ extern int register_pppox_proto(int prot
+ extern void unregister_pppox_proto(int proto_num);
+ extern void pppox_unbind_sock(struct sock *sk);/* delete ppp-channel binding */
+ extern int pppox_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
++extern int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
++
++#define PPPOEIOCSFWD32 _IOW(0xB1 ,0, compat_size_t)
+
+ /* PPPoX socket states */
+ enum {
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1793,6 +1793,9 @@ static const struct proto_ops pppol2tp_o
+ .recvmsg = pppol2tp_recvmsg,
+ .mmap = sock_no_mmap,
+ .ioctl = pppox_ioctl,
++#ifdef CONFIG_COMPAT
++ .compat_ioctl = pppox_compat_ioctl,
++#endif
+ };
+
+ static const struct pppox_proto pppol2tp_proto = {
diff --git a/queue-4.14/ife-error-out-when-nla-attributes-are-empty.patch b/queue-4.14/ife-error-out-when-nla-attributes-are-empty.patch
new file mode 100644
index 00000000000..3ab557c99f0
--- /dev/null
+++ b/queue-4.14/ife-error-out-when-nla-attributes-are-empty.patch
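Review bot: pppox_compat_ioctl() in drivers/net/ppp/pppox.c and the PPPOEIOCSFWD32 define in include/linux/if_pppox.h carry no comment, so the reason for the command translation lives only in the commit message. A short comment above the function would keep it with the code, for example `/* PPPOEIOCSFWD encodes sizeof(size_t) in its command number, so 32-bit callers send PPPOEIOCSFWD32; every other pppox command passes through unchanged */`. The function also applies compat_ptr() to arg for every command, which is only correct while each command reaching pppox_ioctl() takes a user pointer; the commit message says this holds today, and a one-line note at the compat_ptr() call would flag the assumption for whoever later adds a command with an integer argument.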
@@ -0,0 +1,35 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Cong Wang
+Date: Mon, 22 Jul 2019 21:43:00 -0700
+Subject: ife: error out when nla attributes are empty
+
+From: Cong Wang
+
+[ Upstream commit c8ec4632c6ac9cda0e8c3d51aa41eeab66585bd5 ]
+
+act_ife at least requires TCA_IFE_PARMS, so we have to bail out
+when there is no attribute passed in.
+
+Reported-by: syzbot+fbb5b288c9cb6a2eeac4@syzkaller.appspotmail.com
+Fixes: ef6980b6becb ("introduce IFE action")
+Cc: Jamal Hadi Salim
+Cc: Jiri Pirko
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_ife.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -459,6 +459,9 @@ static int tcf_ife_init(struct net *net,
+ int ret = 0;
+ int err;
+
++ if (!nla)
++ return -EINVAL;
++
+ err = nla_parse_nested(tb, TCA_IFE_MAX, nla, ife_policy, NULL);
+ if (err < 0)
+ return err;
diff --git a/queue-4.14/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch b/queue-4.14/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch
new file mode 100644
index 00000000000..d75a3246f1b
--- /dev/null
+++ b/queue-4.14/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch
@@ -0,0 +1,52 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Haishuang Yan
+Date: Fri, 26 Jul 2019 00:40:17 +0800
+Subject: ip6_tunnel: fix possible use-after-free on xmit
+
+From: Haishuang Yan
+
+[ Upstream commit 01f5bffad555f8e22a61f4b1261fe09cf1b96994 ]
+
+ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which
+can cause a possible use-after-free accessing iph/ipv6h pointer
+since the packet will be 'uncloned' running pskb_expand_head if
+it is a cloned gso skb.
+
+Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
+Signed-off-by: Haishuang Yan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_tunnel.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1280,12 +1280,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, str
+ }
+
+ fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL);
++ dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
+
+ if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
+ return -1;
+
+- dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
+-
+ skb_set_inner_ipproto(skb, IPPROTO_IPIP);
+
+ err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
+@@ -1371,12 +1370,11 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
+ }
+
+ fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL);
++ dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
+
+ if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
+ return -1;
+
+- dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
+-
+ skb_set_inner_ipproto(skb, IPPROTO_IPV6);
+
+ err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
diff --git a/queue-4.14/mvpp2-refactor-mtu-change-code.patch b/queue-4.14/mvpp2-refactor-mtu-change-code.patch
new file mode 100644
index 00000000000..9b82b2cd619
--- /dev/null
+++ b/queue-4.14/mvpp2-refactor-mtu-change-code.patch
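Review bot: Neither ip4ip6_tnl_xmit() nor ip6ip6_tnl_xmit() says why the dsfield line now has to sit above iptunnel_handle_offloads(), so a later cleanup could move it back and reintroduce the stale read of iph or ipv6h. I would add a comment above the moved line in both hunks, such as `/* read the inner header before iptunnel_handle_offloads(): it may unclone the skb and invalidate iph */` (naming ipv6h in the second function). Both functions continue past the hunks, so it is worth confirming that nothing after the offload call still dereferences the old header pointer.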
@@ -0,0 +1,85 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Matteo Croce
+Date: Sun, 28 Jul 2019 02:46:45 +0200
+Subject: mvpp2: refactor MTU change code
+
+From: Matteo Croce
+
+[ Upstream commit 230bd958c2c846ee292aa38bc6b006296c24ca01 ]
+
+The MTU change code can call napi_disable() with the device already down,
+leading to a deadlock. Also, lot of code is duplicated unnecessarily.
+
+Rework mvpp2_change_mtu() to avoid the deadlock and remove duplicated code.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Signed-off-by: Matteo Croce
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 41 +++++++++++------------------------
+ 1 file changed, 13 insertions(+), 28 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -6952,6 +6952,7 @@ log_error:
+ static int mvpp2_change_mtu(struct net_device *dev, int mtu)
+ {
+ struct mvpp2_port *port = netdev_priv(dev);
++ bool running = netif_running(dev);
+ int err;
+
+ if (!IS_ALIGNED(MVPP2_RX_PKT_SIZE(mtu), 8)) {
+@@ -6960,40 +6961,24 @@ static int mvpp2_change_mtu(struct net_d
+ mtu = ALIGN(MVPP2_RX_PKT_SIZE(mtu), 8);
+ }
+
+- if (!netif_running(dev)) {
+- err = mvpp2_bm_update_mtu(dev, mtu);
+- if (!err) {
+- port->pkt_size = MVPP2_RX_PKT_SIZE(mtu);
+- return 0;
+- }
++ if (running)
++ mvpp2_stop_dev(port);
+
++ err = mvpp2_bm_update_mtu(dev, mtu);
++ if (err) {
++ netdev_err(dev, "failed to change MTU\n");
+ /* Reconfigure BM to the original MTU */
+- err = mvpp2_bm_update_mtu(dev, dev->mtu);
+- if (err)
+- goto log_error;
++ mvpp2_bm_update_mtu(dev, dev->mtu);
++ } else {
++ port->pkt_size = MVPP2_RX_PKT_SIZE(mtu);
+ }
+
+- mvpp2_stop_dev(port);
+-
+- err = mvpp2_bm_update_mtu(dev, mtu);
+- if (!err) {
+- port->pkt_size = MVPP2_RX_PKT_SIZE(mtu);
+- goto out_start;
++ if (running) {
++ mvpp2_start_dev(port);
++ mvpp2_egress_enable(port);
++ mvpp2_ingress_enable(port);
+ }
+
+- /* Reconfigure BM to the original MTU */
+- err = mvpp2_bm_update_mtu(dev, dev->mtu);
+- if (err)
+- goto log_error;
+-
+-out_start:
+- mvpp2_start_dev(port);
+- mvpp2_egress_enable(port);
+- mvpp2_ingress_enable(port);
+-
+- return 0;
+-log_error:
+- netdev_err(dev, "failed to change MTU\n");
+ return err;
+ }
+
diff --git a/queue-4.14/net-bridge-delete-local-fdb-on-device-init-failure.patch b/queue-4.14/net-bridge-delete-local-fdb-on-device-init-failure.patch
new file mode 100644
index 00000000000..7c471e1dd12
--- /dev/null
+++ b/queue-4.14/net-bridge-delete-local-fdb-on-device-init-failure.patch
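Review bot: On the failure path of the reworked mvpp2_change_mtu() the rollback call `mvpp2_bm_update_mtu(dev, dev->mtu);` has its return value dropped, where the removed code checked it and jumped to log_error. If the rollback fails as well, the `if (running)` block still restarts the port and only the first failure is logged, so the BM configuration the port comes back up with is unknown. Consider `if (mvpp2_bm_update_mtu(dev, dev->mtu)) netdev_err(dev, "failed to restore original MTU\n");` so the second failure is visible. Whether restarting the port after a failed rollback is safe depends on mvpp2_bm_update_mtu(), which is not shown here.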
@@ -0,0 +1,44 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Nikolay Aleksandrov
+Date: Mon, 29 Jul 2019 12:28:41 +0300
+Subject: net: bridge: delete local fdb on device init failure
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit d7bae09fa008c6c9a489580db0a5a12063b97f97 ]
+
+On initialization failure we have to delete the local fdb which was
+inserted due to the default pvid creation. This problem has been present
+since the inception of default_pvid. Note that currently there are 2 cases:
+1) in br_dev_init() when br_multicast_init() fails
+2) if register_netdevice() fails after calling ndo_init()
+
+This patch takes care of both since br_vlan_flush() is called on both
+occasions. Also the new fdb delete would be a no-op on normal bridge
+device destruction since the local fdb would've been already flushed by
+br_dev_delete(). This is not an issue for ports since nbp_vlan_init() is
+called last when adding a port thus nothing can fail after it.
+
+Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com
+Fixes: 5be5a2df40f0 ("bridge: Add filtering support for default_pvid")
+Signed-off-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_vlan.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bridge/br_vlan.c
++++ b/net/bridge/br_vlan.c
+@@ -636,6 +636,11 @@ void br_vlan_flush(struct net_bridge *br
+
+ ASSERT_RTNL();
+
++ /* delete auto-added default pvid local fdb before flushing vlans
++ * otherwise it will be leaked on bridge device init failure
++ */
++ br_fdb_delete_by_port(br, NULL, 0, 1);
++
+ vg = br_vlan_group(br);
+ __vlan_flush(vg);
+ RCU_INIT_POINTER(br->vlgrp, NULL);
diff --git a/queue-4.14/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch b/queue-4.14/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch
new file mode 100644
index 00000000000..745c546648f
--- /dev/null
+++ b/queue-4.14/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch
@@ -0,0 +1,58 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Nikolay Aleksandrov
+Date: Tue, 30 Jul 2019 14:21:00 +0300
+Subject: net: bridge: mcast: don't delete permanent entries when fast leave is enabled
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit 5c725b6b65067909548ac9ca9bc777098ec9883d ]
+
+When permanent entries were introduced by the commit below, they were
+exempt from timing out and thus igmp leave wouldn't affect them unless
+fast leave was enabled on the port which was added before permanent
+entries existed. It shouldn't matter if fast leave is enabled or not
+if the user added a permanent entry it shouldn't be deleted on igmp
+leave.
+
+Before:
+$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave
+$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent
+$ bridge mdb show
+dev br0 port eth4 grp 229.1.1.1 permanent
+
+< join and leave 229.1.1.1 on eth4 >
+
+$ bridge mdb show
+$
+
+After:
+$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave
+$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent
+$ bridge mdb show
+dev br0 port eth4 grp 229.1.1.1 permanent
+
+< join and leave 229.1.1.1 on eth4 >
+
+$ bridge mdb show
+dev br0 port eth4 grp 229.1.1.1 permanent
+
+Fixes: ccb1c31a7a87 ("bridge: add flags to distinguish permanent mdb entires")
+Signed-off-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_multicast.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1593,6 +1593,9 @@ br_multicast_leave_group(struct net_brid
+ if (!br_port_group_equal(p, port, src))
+ continue;
+
++ if (p->flags & MDB_PG_FLAGS_PERMANENT)
++ break;
++
+ rcu_assign_pointer(*pp, p->next);
+ hlist_del_init(&p->mglist);
+ del_timer(&p->timer);
diff --git a/queue-4.14/net-fix-ifindex-collision-during-namespace-removal.patch b/queue-4.14/net-fix-ifindex-collision-during-namespace-removal.patch
new file mode 100644
index 00000000000..50991861469
--- /dev/null
+++ b/queue-4.14/net-fix-ifindex-collision-during-namespace-removal.patch
@@ -0,0 +1,132 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Jiri Pirko
+Date: Sun, 28 Jul 2019 14:56:36 +0200
+Subject: net: fix ifindex collision during namespace removal
+
+From: Jiri Pirko
+
+[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ]
+
+Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions
+on net_ns stop.") introduced a possibility to hit a BUG in case device
+is returning back to init_net and two following conditions are met:
+1) dev->ifindex value is used in a name of another "dev%d"
+ device in init_net.
+2) dev->name is used by another device in init_net.
+
+Under real life circumstances this is hard to get. Therefore this has
+been present happily for over 10 years. To reproduce:
+
+$ ip a
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: dummy0: mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
+3: enp0s2: mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
+$ ip netns add ns1
+$ ip -n ns1 link add dummy1ns1 type dummy
+$ ip -n ns1 link add dummy2ns1 type dummy
+$ ip link set enp0s2 netns ns1
+$ ip -n ns1 link set enp0s2 name dummy0
+[ 100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
+$ ip link add dev4 type dummy
+$ ip -n ns1 a
+1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+2: dummy1ns1: mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
+3: dummy2ns1: mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
+4: dummy0: mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
+$ ip a
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: dummy0: mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
+4: dev4: mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
+$ ip netns del ns1
+[ 158.717795] default_device_exit: failed to move dummy0 to init_net: -17
+[ 158.719316] ------------[ cut here ]------------
+[ 158.720591] kernel BUG at net/core/dev.c:9824!
+[ 158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
+[ 158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+[ 158.727508] Workqueue: netns cleanup_net
+[ 158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
+[ 158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
+[ 158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
+[ 158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
+[ 158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
+[ 158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
+[ 158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
+[ 158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
+[ 158.750638] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
+[ 158.752944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
+[ 158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 158.762758] Call Trace:
+[ 158.763882] ? dev_change_net_namespace+0xbb0/0xbb0
+[ 158.766148] ? devlink_nl_cmd_set_doit+0x520/0x520
+[ 158.768034] ? dev_change_net_namespace+0xbb0/0xbb0
+[ 158.769870] ops_exit_list.isra.0+0xa8/0x150
+[ 158.771544] cleanup_net+0x446/0x8f0
+[ 158.772945] ? unregister_pernet_operations+0x4a0/0x4a0
+[ 158.775294] process_one_work+0xa1a/0x1740
+[ 158.776896] ? pwq_dec_nr_in_flight+0x310/0x310
+[ 158.779143] ? do_raw_spin_lock+0x11b/0x280
+[ 158.780848] worker_thread+0x9e/0x1060
+[ 158.782500] ? process_one_work+0x1740/0x1740
+[ 158.784454] kthread+0x31b/0x420
+[ 158.786082] ? __kthread_create_on_node+0x3f0/0x3f0
+[ 158.788286] ret_from_fork+0x3a/0x50
+[ 158.789871] ---[ end trace defd6c657c71f936 ]---
+[ 158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f
+[ 158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
+[ 158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
+[ 158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
+[ 158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
+[ 158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
+[ 158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
+[ 158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
+[ 158.829899] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
+[ 158.834923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
+[ 158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fix this by checking if a device with the same name exists in init_net
+and fallback to original code - dev%d to allocate name - in case it does.
+
+This was found using syzkaller.
+
+Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
+Signed-off-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8652,6 +8652,8 @@ static void __net_exit default_device_ex
+
+ /* Push remaining network devices to init_net */
+ snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
++ if (__dev_get_by_name(&init_net, fb_name))
++ snprintf(fb_name, IFNAMSIZ, "dev%%d");
+ err = dev_change_net_namespace(dev, &init_net, fb_name);
+ if (err) {
+ pr_emerg("%s: failed to move %s to init_net: %d\n",
diff --git a/queue-4.14/net-mlx5-use-reversed-order-when-unregister-devices.patch b/queue-4.14/net-mlx5-use-reversed-order-when-unregister-devices.patch
new file mode 100644
index 00000000000..b7813fd65dd
--- /dev/null
+++ b/queue-4.14/net-mlx5-use-reversed-order-when-unregister-devices.patch
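Review bot: The fallback `snprintf(fb_name, IFNAMSIZ, "dev%%d");` in default_device_exit() is easy to misread, because the doubled percent is what leaves the literal template `dev%d` in fb_name, which per the commit message is then used to allocate a free name. A comment above the new `if` would make that explicit, for example `/* dev<ifindex> is already taken in init_net: pass the "dev%d" template so a free name is allocated */`. The error branch that follows is cut off by the hunk; going by the trace in the commit message a failed move still ends in BUG, so any remaining name collision stays fatal.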
@@ -0,0 +1,43 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Mark Zhang
+Date: Tue, 9 Jul 2019 05:37:12 +0300
+Subject: net/mlx5: Use reversed order when unregister devices
+
+From: Mark Zhang
+
+[ Upstream commit 08aa5e7da6bce1a1963f63cf32c2e7ad434ad578 ]
+
+When lag is active, which is controlled by the bonded mlx5e netdev, mlx5
+interface unregestering must happen in the reverse order where rdma is
+unregistered (unloaded) first, to guarantee all references to the lag
+context in hardware is removed, then remove mlx5e netdev interface which
+will cleanup the lag context from hardware.
+
+Without this fix during destroy of LAG interface, we observed following
+errors:
+ * mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed,
+ status bad parameter(0x3), syndrome (0xe4ac33)
+ * mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed,
+ status bad parameter(0x3), syndrome (0xa5aee8).
+
+Fixes: a31208b1e11d ("net/mlx5_core: New init and exit flow for mlx5_core")
+Reviewed-by: Parav Pandit
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Mark Zhang
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+@@ -307,7 +307,7 @@ void mlx5_unregister_device(struct mlx5_
+ struct mlx5_interface *intf;
+
+ mutex_lock(&mlx5_intf_mutex);
+- list_for_each_entry(intf, &intf_list, list)
++ list_for_each_entry_reverse(intf, &intf_list, list)
+ mlx5_remove_device(intf, priv);
+ list_del(&priv->dev_list);
+ mutex_unlock(&mlx5_intf_mutex);
diff --git a/queue-4.14/net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch b/queue-4.14/net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch
new file mode 100644
index 00000000000..994aba5d1e8
--- /dev/null
+++ b/queue-4.14/net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch
@@ -0,0 +1,98 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Ariel Levkovich
+Date: Sat, 6 Jul 2019 18:06:15 +0300
+Subject: net/mlx5e: Prevent encap flow counter update async to user query
+
+From: Ariel Levkovich
+
+[ Upstream commit 90bb769291161cf25a818d69cf608c181654473e ]
+
+This patch prevents a race between user invoked cached counters
+query and a neighbor last usage updater.
+
+The cached flow counter stats can be queried by calling
+"mlx5_fc_query_cached" which provides the number of bytes and
+packets that passed via this flow since the last time this counter
+was queried.
+It does so by reducting the last saved stats from the current, cached
+stats and then updating the last saved stats with the cached stats.
+It also provide the lastuse value for that flow.
+
+Since "mlx5e_tc_update_neigh_used_value" needs to retrieve the
+last usage time of encapsulation flows, it calls the flow counter
+query method periodically and async to user queries of the flow counter
+using cls_flower.
+This call is causing the driver to update the last reported bytes and
+packets from the cache and therefore, future user queries of the flow
+stats will return lower than expected number for bytes and packets
+since the last saved stats in the driver was updated async to the last
+saved stats in cls_flower.
+
+This causes wrong stats presentation of encapsulation flows to user.
+
+Since the neighbor usage updater only needs the lastuse stats from the
+cached counter, the fix is to use a dedicated lastuse query call that
+returns the lastuse value without synching between the cached stats and
+the last saved stats.
+
+Fixes: f6dfb4c3f216 ("net/mlx5e: Update neighbour 'used' state using HW flow rules counters")
+Signed-off-by: Ariel Levkovich
+Reviewed-by: Roi Dayan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c | 5 +++++
+ include/linux/mlx5/fs.h | 1 +
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -473,13 +473,13 @@ void mlx5e_tc_encap_flows_del(struct mlx
+ void mlx5e_tc_update_neigh_used_value(struct mlx5e_neigh_hash_entry *nhe)
+ {
+ struct mlx5e_neigh *m_neigh = &nhe->m_neigh;
+- u64 bytes, packets, lastuse = 0;
+ struct mlx5e_tc_flow *flow;
+ struct mlx5e_encap_entry *e;
+ struct mlx5_fc *counter;
+ struct neigh_table *tbl;
+ bool neigh_used = false;
+ struct neighbour *n;
++ u64 lastuse;
+
+ if (m_neigh->family == AF_INET)
+ tbl = &arp_tbl;
+@@ -496,7 +496,7 @@ void mlx5e_tc_update_neigh_used_value(st
+ list_for_each_entry(flow, &e->flows, encap) {
+ if (flow->flags & MLX5E_TC_FLOW_OFFLOADED) {
+ counter = mlx5_flow_rule_counter(flow->rule);
+- mlx5_fc_query_cached(counter, &bytes, &packets, &lastuse);
++ lastuse = mlx5_fc_query_lastuse(counter);
+ if (time_after((unsigned long)lastuse, nhe->reported_lastuse)) {
+ neigh_used = true;
+ break;
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c
+@@ -312,6 +312,11 @@ void mlx5_cleanup_fc_stats(struct mlx5_c
+ }
+ }
+
++u64 mlx5_fc_query_lastuse(struct mlx5_fc *counter)
++{
++ return counter->cache.lastuse;
++}
++
+ void mlx5_fc_query_cached(struct mlx5_fc *counter,
+ u64 *bytes, u64 *packets, u64 *lastuse)
+ {
+--- a/include/linux/mlx5/fs.h
++++ b/include/linux/mlx5/fs.h
+@@ -164,6 +164,7 @@ int mlx5_modify_rule_destination(struct
+ struct mlx5_fc *mlx5_flow_rule_counter(struct mlx5_flow_handle *handler);
+ struct mlx5_fc *mlx5_fc_create(struct mlx5_core_dev *dev, bool aging);
+ void mlx5_fc_destroy(struct mlx5_core_dev *dev, struct mlx5_fc *counter);
++u64 mlx5_fc_query_lastuse(struct mlx5_fc *counter);
+ void mlx5_fc_query_cached(struct mlx5_fc *counter,
+ u64 *bytes, u64 *packets, u64 *lastuse);
+ int mlx5_fs_add_rx_underlay_qpn(struct mlx5_core_dev *dev, u32 underlay_qpn);
diff --git a/queue-4.14/net-phylink-fix-flow-control-for-fixed-link.patch b/queue-4.14/net-phylink-fix-flow-control-for-fixed-link.patch
new file mode 100644
index 00000000000..aee21872ce6
--- /dev/null
+++ b/queue-4.14/net-phylink-fix-flow-control-for-fixed-link.patch
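Review bot: The new `mlx5_fc_query_lastuse()` in fs_counters.c has no comment saying how it differs from `mlx5_fc_query_cached()`, and that difference is the entire reason it exists. I would add above it `/* Return the cached lastuse only; unlike mlx5_fc_query_cached() this does not advance the last-reported bytes/packets. */` so a later caller does not swap one for the other. It also returns `counter->cache.lastuse` as a plain `u64` load; if the cache is refreshed from another context (the updater is outside these hunks), a 32-bit build could presumably observe a torn value, which is worth confirming against how `mlx5_fc_query_cached()` reads the same field.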
@@ -0,0 +1,54 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: "René van Dorst"
+Date: Sat, 27 Jul 2019 11:40:11 +0200
+Subject: net: phylink: Fix flow control for fixed-link
+
+From: "René van Dorst"
+
+[ Upstream commit 8aace4f3eba2a3ceb431e18683ea0e1ecbade5cd ]
+
+In phylink_parse_fixedlink() the pl->link_config.advertising bits are AND
+with pl->supported, pl->supported is zeroed and only the speed/duplex
+modes and MII bits are set.
+So pl->link_config.advertising always loses the flow control/pause bits.
+
+By setting Pause and Asym_Pause bits in pl->supported, the flow control
+work again when devicetree "pause" is set in fixes-link node and the MAC
+advertise that is supports pause.
+
+Results with this patch.
+
+Legend:
+- DT = 'Pause' is set in the fixed-link in devicetree.
+- validate() = ‘Yes’ means phylink_set(mask, Pause) is set in the
+ validate().
+- flow = results reported my link is Up line.
+
++-----+------------+-------+
+| DT | validate() | flow |
++-----+------------+-------+
+| Yes | Yes | rx/tx |
+| No | Yes | off |
+| Yes | No | off |
++-----+------------+-------+
+
+Fixes: 9525ae83959b ("phylink: add phylink infrastructure")
+Signed-off-by: René van Dorst
+Acked-by: Russell King
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phylink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -203,6 +203,8 @@ static int phylink_parse_fixedlink(struc
+ __ETHTOOL_LINK_MODE_MASK_NBITS, true);
+ linkmode_zero(pl->supported);
+ phylink_set(pl->supported, MII);
++ phylink_set(pl->supported, Pause);
++ phylink_set(pl->supported, Asym_Pause);
+ if (s) {
+ __set_bit(s->bit, pl->supported);
+ } else {
diff --git a/queue-4.14/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch b/queue-4.14/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
new file mode 100644
index 00000000000..e93c8ddc882
--- /dev/null
+++ b/queue-4.14/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
@@ -0,0 +1,47 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Jia-Ju Bai
+Date: Mon, 29 Jul 2019 16:24:33 +0800
+Subject: net: sched: Fix a possible null-pointer dereference in dequeue_func()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 051c7b39be4a91f6b7d8c4548444e4b850f1f56c ]
+
+In dequeue_func(), there is an if statement on line 74 to check whether
+skb is NULL:
+ if (skb)
+
+When skb is NULL, it is used on line 77:
+ prefetch(&skb->end);
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, skb->end is used when skb is not NULL.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
+Signed-off-by: Jia-Ju Bai
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_codel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_codel.c
++++ b/net/sched/sch_codel.c
+@@ -71,10 +71,10 @@ static struct sk_buff *dequeue_func(stru
+ struct Qdisc *sch = ctx;
+ struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
+
+- if (skb)
++ if (skb) {
+ sch->qstats.backlog -= qdisc_pkt_len(skb);
+-
+- prefetch(&skb->end); /* we'll need skb_shinfo() */
++ prefetch(&skb->end); /* we'll need skb_shinfo() */
++ }
+ return skb;
+ }
+
diff --git a/queue-4.14/nfc-nfcmrvl-fix-gpio-handling-regression.patch b/queue-4.14/nfc-nfcmrvl-fix-gpio-handling-regression.patch
new file mode 100644
index 00000000000..61e81641497
--- /dev/null
+++ b/queue-4.14/nfc-nfcmrvl-fix-gpio-handling-regression.patch
@@ -0,0 +1,77 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Johan Hovold
+Date: Mon, 5 Aug 2019 12:00:55 +0200
+Subject: NFC: nfcmrvl: fix gpio-handling regression
+
+From: Johan Hovold
+
+[ Upstream commit c3953a3c2d3175d2f9f0304c9a1ba89e7743c5e4 ]
+
+Fix two reset-gpio sanity checks which were never converted to use
+gpio_is_valid(), and make sure to use -EINVAL to indicate a missing
+reset line also for the UART-driver module parameter and for the USB
+driver.
+
+This specifically prevents the UART and USB drivers from incidentally
+trying to request and use gpio 0, and also avoids triggering a WARN() in
+gpio_to_desc() during probe when no valid reset line has been specified.
+
+Fixes: e33a3f84f88f ("NFC: nfcmrvl: allow gpio 0 for reset signalling")
+Reported-by: syzbot+cf35b76f35e068a1107f@syzkaller.appspotmail.com
+Tested-by: syzbot+cf35b76f35e068a1107f@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/nfcmrvl/main.c | 4 ++--
+ drivers/nfc/nfcmrvl/uart.c | 4 ++--
+ drivers/nfc/nfcmrvl/usb.c | 1 +
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/nfc/nfcmrvl/main.c
++++ b/drivers/nfc/nfcmrvl/main.c
+@@ -244,7 +244,7 @@ void nfcmrvl_chip_reset(struct nfcmrvl_p
+ /* Reset possible fault of previous session */
+ clear_bit(NFCMRVL_PHY_ERROR, &priv->flags);
+
+- if (priv->config.reset_n_io) {
++ if (gpio_is_valid(priv->config.reset_n_io)) {
+ nfc_info(priv->dev, "reset the chip\n");
+ gpio_set_value(priv->config.reset_n_io, 0);
+ usleep_range(5000, 10000);
+@@ -255,7 +255,7 @@ void nfcmrvl_chip_reset(struct nfcmrvl_p
+
+ void nfcmrvl_chip_halt(struct nfcmrvl_private *priv)
+ {
+- if (priv->config.reset_n_io)
++ if (gpio_is_valid(priv->config.reset_n_io))
+ gpio_set_value(priv->config.reset_n_io, 0);
+ }
+
+--- a/drivers/nfc/nfcmrvl/uart.c
++++ b/drivers/nfc/nfcmrvl/uart.c
+@@ -26,7 +26,7 @@
+ static unsigned int hci_muxed;
+ static unsigned int flow_control;
+ static unsigned int break_control;
+-static unsigned int reset_n_io;
++static int reset_n_io = -EINVAL;
+
+ /*
+ ** NFCMRVL NCI OPS
+@@ -231,5 +231,5 @@ MODULE_PARM_DESC(break_control, "Tell if
+ module_param(hci_muxed, uint, 0);
+ MODULE_PARM_DESC(hci_muxed, "Tell if transport is muxed in HCI one.");
+
+-module_param(reset_n_io, uint, 0);
++module_param(reset_n_io, int, 0);
+ MODULE_PARM_DESC(reset_n_io, "GPIO that is wired to RESET_N signal.");
+--- a/drivers/nfc/nfcmrvl/usb.c
++++ b/drivers/nfc/nfcmrvl/usb.c
+@@ -304,6 +304,7 @@ static int nfcmrvl_probe(struct usb_inte
+
+ /* No configuration for USB */
+ memset(&config, 0, sizeof(config));
++ config.reset_n_io = -EINVAL;
+
+ nfc_info(&udev->dev, "intf %p id %p\n", intf, id);
+
diff --git a/queue-4.14/series b/queue-4.14/series
index a33a24331d8..ce4c19a3161 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
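Review bot: After this change a negative `reset_n_io` means "no reset line", but `MODULE_PARM_DESC(reset_n_io, "GPIO that is wired to RESET_N signal.")` in uart.c still reads as if every value were a GPIO number. Stating the convention in the description, e.g. `"GPIO that is wired to RESET_N signal (negative: none)."`, documents the new `-EINVAL` default for whoever loads the module. The sentinel is now set by hand in two places, the UART parameter default and `config.reset_n_io = -EINVAL;` after the `memset()` in usb.c. Any other path that builds an nfcmrvl config from zeroed memory would still end up addressing GPIO 0 once `gpio_is_valid()` is the only guard; those paths are outside these hunks and are worth checking.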
@@ -9,3 +9,19 @@ rdma-directly-cast-the-sockaddr-union-to-sockaddr.patch
 ib-directly-cast-the-sockaddr-union-to-aockaddr.patch
 objtool-add-machine_real_restart-to-the-noreturn-list.patch
 objtool-add-rewind_stack_do_exit-to-the-noreturn-list.patch
+atm-iphase-fix-spectre-v1-vulnerability.patch
+ife-error-out-when-nla-attributes-are-empty.patch
+ip6_tunnel-fix-possible-use-after-free-on-xmit.patch
+net-bridge-delete-local-fdb-on-device-init-failure.patch
+net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch
+net-fix-ifindex-collision-during-namespace-removal.patch
+net-mlx5-use-reversed-order-when-unregister-devices.patch
+net-phylink-fix-flow-control-for-fixed-link.patch
+net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
+nfc-nfcmrvl-fix-gpio-handling-regression.patch
+tipc-compat-allow-tipc-commands-without-arguments.patch
+compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch
+net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch
+tun-mark-small-packets-as-owned-by-the-tap-sock.patch
+mvpp2-refactor-mtu-change-code.patch
+bnx2x-disable-multi-cos-feature.patch
diff --git a/queue-4.14/tipc-compat-allow-tipc-commands-without-arguments.patch b/queue-4.14/tipc-compat-allow-tipc-commands-without-arguments.patch
new file mode 100644
index 00000000000..4d9bbec611d
--- /dev/null
+++ b/queue-4.14/tipc-compat-allow-tipc-commands-without-arguments.patch
@@ -0,0 +1,85 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Taras Kondratiuk
+Date: Mon, 29 Jul 2019 22:15:07 +0000
+Subject: tipc: compat: allow tipc commands without arguments
+
+From: Taras Kondratiuk
+
+[ Upstream commit 4da5f0018eef4c0de31675b670c80e82e13e99d1 ]
+
+Commit 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
+broke older tipc tools that use compat interface (e.g. tipc-config from
+tipcutils package):
+
+% tipc-config -p
+operation not supported
+
+The commit started to reject TIPC netlink compat messages that do not
+have attributes. It is too restrictive because some of such messages are
+valid (they don't need any arguments):
+
+% grep 'tx none' include/uapi/linux/tipc_config.h
+#define TIPC_CMD_NOOP 0x0000 /* tx none, rx none */
+#define TIPC_CMD_GET_MEDIA_NAMES 0x0002 /* tx none, rx media_name(s) */
+#define TIPC_CMD_GET_BEARER_NAMES 0x0003 /* tx none, rx bearer_name(s) */
+#define TIPC_CMD_SHOW_PORTS 0x0006 /* tx none, rx ultra_string */
+#define TIPC_CMD_GET_REMOTE_MNG 0x4003 /* tx none, rx unsigned */
+#define TIPC_CMD_GET_MAX_PORTS 0x4004 /* tx none, rx unsigned */
+#define TIPC_CMD_GET_NETID 0x400B /* tx none, rx unsigned */
+#define TIPC_CMD_NOT_NET_ADMIN 0xC001 /* tx none, rx none */
+
+This patch relaxes the original fix and rejects messages without
+arguments only if such arguments are expected by a command (reg_type is
+non zero).
+
+Fixes: 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
+Cc: stable@vger.kernel.org
+Signed-off-by: Taras Kondratiuk
+Acked-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink_compat.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -55,6 +55,7 @@ struct tipc_nl_compat_msg {
+ int rep_type;
+ int rep_size;
+ int req_type;
++ int req_size;
+ struct net *net;
+ struct sk_buff *rep;
+ struct tlv_desc *req;
+@@ -252,7 +253,8 @@ static int tipc_nl_compat_dumpit(struct
+ int err;
+ struct sk_buff *arg;
+
+- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
++ if (msg->req_type && (!msg->req_size ||
++ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+ return -EINVAL;
+
+ msg->rep = tipc_tlv_alloc(msg->rep_size);
+@@ -345,7 +347,8 @@ static int tipc_nl_compat_doit(struct ti
+ {
+ int err;
+
+- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
++ if (msg->req_type && (!msg->req_size ||
++ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+ return -EINVAL;
+
+ err = __tipc_nl_compat_doit(cmd, msg);
+@@ -1267,8 +1270,8 @@ static int tipc_nl_compat_recv(struct sk
+ goto send;
+ }
+
+- len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
+- if (!len || !TLV_OK(msg.req, len)) {
++ msg.req_size = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
++ if (msg.req_size && !TLV_OK(msg.req, msg.req_size)) {
+ msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
+ err = -EOPNOTSUPP;
+ goto send;
diff --git a/queue-4.14/tun-mark-small-packets-as-owned-by-the-tap-sock.patch b/queue-4.14/tun-mark-small-packets-as-owned-by-the-tap-sock.patch
new file mode 100644
index 00000000000..b38ddeae813
--- /dev/null
+++ b/queue-4.14/tun-mark-small-packets-as-owned-by-the-tap-sock.patch
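Review bot: With `if (msg.req_size && !TLV_OK(msg.req, msg.req_size))` in `tipc_nl_compat_recv()`, a request carrying no attributes now passes the length check, and the only remaining guard before a handler reads `msg->req` is the `msg->req_type && (!msg->req_size || ...)` test in `tipc_nl_compat_dumpit()` and `tipc_nl_compat_doit()`. That is safe only if every command whose handler parses the request TLV has a non-zero `req_type` in the command table, which is outside these hunks; for any entry that does not, the uninit-value read that 2753ca5d9009 closed would presumably come back. The same two-line condition is also duplicated in both functions, so a small static helper taking `const struct tipc_nl_compat_msg *msg` (name to be chosen) would keep the two checks from drifting apart. A comment at the `req_size` field such as `/* length of the request TLV area; 0 means the request had no attributes */` would make the new invariant visible at the struct.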
@@ -0,0 +1,43 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Alexis Bauvin
+Date: Tue, 23 Jul 2019 16:23:01 +0200
+Subject: tun: mark small packets as owned by the tap sock
+
+From: Alexis Bauvin
+
+[ Upstream commit 4b663366246be1d1d4b1b8b01245b2e88ad9e706 ]
+
+- v1 -> v2: Move skb_set_owner_w to __tun_build_skb to reduce patch size
+
+Small packets going out of a tap device go through an optimized code
+path that uses build_skb() rather than sock_alloc_send_pskb(). The
+latter calls skb_set_owner_w(), but the small packet code path does not.
+
+The net effect is that small packets are not owned by the userland
+application's socket (e.g. QEMU), while large packets are.
+This can be seen with a TCP session, where packets are not owned when
+the window size is small enough (around PAGE_SIZE), while they are once
+the window grows (note that this requires the host to support virtio
+tso for the guest to offload segmentation).
+All this leads to inconsistent behaviour in the kernel, especially on
+netfilter modules that uses sk->socket (e.g. xt_owner).
+
+Fixes: 66ccbc9c87c2 ("tap: use build_skb() for small packet")
+Signed-off-by: Alexis Bauvin
+Acked-by: Jason Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1350,6 +1350,7 @@ static struct sk_buff *tun_build_skb(str
+
+ skb_reserve(skb, pad - delta);
+ skb_put(skb, len + delta);
++ skb_set_owner_w(skb, tfile->socket.sk);
+ get_page(alloc_frag->page);
+ alloc_frag->offset += buflen;
+
-- 
2.47.3
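Review bot: The changelog line `v1 -> v2: Move skb_set_owner_w to __tun_build_skb` does not match the hunk, which adds `skb_set_owner_w(skb, tfile->socket.sk);` to `tun_build_skb()`; this looks like an adapted backport, and the patch carries no note saying so. A bracketed line in the changelog, e.g. `[ 4.14: applied in tun_build_skb() ]`, would make the difference from the upstream commit auditable. Because the skb is now charged to the tap socket, any failure path after this line has to release it through the normal skb free path so the write-memory charge is dropped; the rest of the function is outside the hunk, so that should be confirmed. A one-line comment at the call, such as `/* own the skb like sock_alloc_send_pskb() does, so sk-based filters (e.g. xt_owner) see small packets too */`, would record why the call is there.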